"ltbarcly" <[EMAIL PROTECTED]> writes:

> I would suggest that it not accept external connections by default, and
> that it would scroll an obvious warning/error in the terminal where the
> start script is run saying something like "****Attempt made to connect
> to server from another computer, IP=xxx.xxx.xxx.yyy.  By default this
> attempt is rejected, however to enable remote viewing of this TG web
> app uncomment the line X from your dev.cfg file.****

So you're suggesting that it binds to localhost only to answer incoming
requests and binds to all other addresses to register supposed connection
attempts?

> It is a wrong behavior to start serving pages by default.  I know
> apache does it depending on how it is installed, but generally security
> should be on by default.

I agree that the log message is wrong.  It says:

2006-08-30 22:24:13,914 cherrypy.msg INFO HTTP: Serving HTTP on 
http://localhost:8080/
But in fact it is listening on all addresses on port 8080:

22:25 jupiter:~ > LANG= netstat -ant | grep 8080
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN    
22:25 jupiter:~ > 
The log message should be clearer about the real situation, so either this is
a bug in the software or in the log message.

> Let's just hope there aren't ever any remote exploits in a default
> install of TG, and this will be mostly a non-issue.  (I'm pessimistic)

Anyone exposing a development environment to the web is asking for trouble.
Anyone putting up a production environment without carefully configuring it is
asking for trouble as well.

A default TG install just shows the "welcome to TG" page.  If you changed it
you should also have changed the configuration files.
IMHO the message should be clearer about where CP is listening for
connections.  And the default production setup should be binding to all
ports, since it is what makes more sense for deployment.  For development I
also like this behavior, but I don't have problems with CP binding only to
localhost. 

-- 
Jorge Godoy      <[EMAIL PROTECTED]>
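The mismatch discussed in this message (a log line claiming localhost while netstat shows a wildcard listener) is easy to check for automatically. The following is an added example, not code from TurboGears or CherryPy: it parses `netstat -ant` style output, classifies each LISTEN socket as wildcard, loopback or a specific address, and separately shows what address the kernel actually reports when a socket is bound to "" versus "127.0.0.1". The sample netstat text is constructed, modelled on the line quoted above.

```python
import ipaddress
import socket
from typing import List, Optional, Tuple

# Constructed sample modelled on the netstat line quoted in the mail, plus a
# loopback-bound service and an established connection for contrast.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.20:51234      ESTABLISHED
"""

def split_host_port(addr: str) -> Tuple[str, int]:
    """Split 'host:port' as printed by Linux netstat; rpartition handles IPv6."""
    host, _, port = addr.rpartition(":")
    return host, int(port)

def classify_host(host: str) -> str:
    """'wildcard' (all interfaces), 'loopback', or 'specific' address."""
    if host in ("0.0.0.0", "::", "*"):
        return "wildcard"
    try:
        if ipaddress.ip_address(host).is_loopback:
            return "loopback"
    except ValueError:
        pass  # not a literal IP; treat as a specific bind
    return "specific"

def listeners(netstat_output: str) -> List[Tuple[int, str]]:
    """Return (port, scope) for every LISTEN entry in `netstat -ant` output."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue  # headers, non-TCP lines and established sockets
        host, port = split_host_port(fields[3])
        found.append((port, classify_host(host)))
    return found

def exposure(netstat_output: str, port: int) -> Optional[str]:
    """Scope of the socket listening on `port`, or None if nothing listens."""
    for p, scope in listeners(netstat_output):
        if p == port:
            return scope
    return None

def actual_bind_address(host: str) -> str:
    """Bind an ephemeral port on `host` and return the address the kernel used.
    An empty host means 'all interfaces' and comes back as 0.0.0.0, which is
    exactly what netstat showed for the server that claimed to serve localhost."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[0]
```

Run `exposure(open_netstat_text, 8080)` against real `netstat -ant` output to confirm whether a development server is reachable from other hosts regardless of what its startup banner says.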
